Tyupkin ATM Malware: Banks Give Away Cash

Eastern European malware allows attacker to steal 40 bank notes of the highest value in the machine from any infected ATM.

Have you ever wanted to withdraw cash without the debit appearing on your account? How about investing in a key that will allow you to rob ATMs?

It is claimed that an Eastern European gang have developed a new product for carders (people who commit fraud using stolen payment card information). Instead of having to pay for high value items in-store and requesting cash back, they can simply withdraw the cash from any ATM infected by ‘Tyupkin’. The malware, identified by leading cyber security firm Kaspersky Lab, affects ATMs from a major ATM manufacturer running Microsoft Windows 32-bit.

Tyupkin, it is claimed, attacks the bank infrastructure directly. While customers’ accounts are not being drained directly, the cost of the fraud is likely to appear on legitimate ATM users’ bank statement in the form of higher charges and the banks seek to transfer the cost of another security flaw to households.

Security weaknesses in ATM designs using Windows 32-bit systems

ATMs run on operating systems including the now unsupported Windows XP with known security weaknesses. Backdoor.MSIL.Tyupkin follows in the wake of Backdoor.Ploutus, malware that uses mobile technology to control an ATM remotely. Discovered in Mexico in April, this is now available in the English language, suggesting that the new variation, Backdoor.Ploutus.B, is already in the US, although evidence of an attack has yet to come to light.

By simply sending a text message to the compromised system, hackers have been able control the ATM using Backdoor.Ploutus, walk up to it, and then collect dispensed cash.

The new attack profile does not seem to involve mobile phones. Rather, the attackers install the malware via bootable CD.copy files into the ATM to allow them to manipulate the device. After some checks of the environment, the malware removes the .lnk file and creates a key in the registry:

The malware is then able to interact with ATM through the standard library MSXFS.dll – Extension for Financial Services (XFS). It runs in an infinite loop waiting for user input. In order to make it more difficult to detect, Tyupkin accepts (by default) commands only on Sunday and Monday nights. It accepts the commands – shown below as ‘XXXXXX’ input:

XXXXXX – Shows the main window.

XXXXXX – Self deletes with a batch file.

XXXXXX – Increases the malware activity period.

XXXXXX – Hides the main window.

After every command the operator must press “Enter” on the ATM’s pin pad. Tyupkin also uses session keys to prevent interaction with random users. After entering the “Show the main window” command, the malware shows the message “ENTER SESSION KEY TO PROCEED!” using a random seed for each session.

The malicious operator must know the algorithm to generate a session key based on the seed shown. Only when this key is successfully entered that it is possible to interact with the infected ATM. After that, the malware shows the following message:

When the operator chooses the cassette number, the ATM dispenses 40 banknotes from it.

Needless to say, they can keep doing this until the fraud is detected by the bank. A great Christmas present for carders all over America!

For those concerned with how secure their information systems are, we can help you implement effective cybersecurity procedures and controls using ISO27001.

ISO27001 is the international information security management best-practice standard that will help you protect your information assets, comply with local compliance requirements and thrive as you give your customers confidence that their information is protected.

Find out more about ISO27001 and our packaged solutions to help you implement the standard at a speed and budget appropriate to you.